Well Known Ramnit Worm Incorporates Tactics from Zeus Trojan to Commit Online Banking Fraud
BOSTON--(BUSINESS WIRE)--Trusteer, the leading provider of secure web access services, today warned that it has discovered the 18 month old file infecting worm Win32. Ramnit has morphed into financial malware and is actively attacking banks to commit online fraud. Ramnit configurations captured and reverse engineered by Trusteer were found to incorporate tactics from the Zeus financial malware platform. Ramnit has borrowed from Zeus the ability to inject HTML code into a web browser, which it is using to bypass two-factor authentication and transaction signing systems used by financial institutions to protect online banking sessions.
“Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program -- old or new. The malware distribution channel for fraudsters has increased in scale significantly.”
The financial malware version of Ramnit was discovered by Trusteer’s fraud analysts using the Trusteer Pinpoint zero-day anomaly detection system and Trusteer Flashlight remote incident investigation system. Ramnit’s command and control servers are located in Germany and are currently live. According to the Symantec Intelligence Report for July, Ramnit accounts for 17.3 percent of all new malicious software infections. This number is consistent with Trusteer's findings that tens of thousands of machines used for online banking are currently infected with Ramnit.
Ramnit was first detected in 2010 and targets .EXE, .SCR, .DLL. .HTML and other file types. File infection is an old school virus technique that is rarely seen in modern financial malware. The evolution of Ramnit into a fraud tool was made possible when the source code of the notorious Zeus financial malware platform was made freely available on the Internet earlier this year. Since then, fraudsters and malware authors have borrowed parts of the Zeus toolkit and incorporated into other malware. Trusteer researchers found the method used to configure Ramnit to target a specific bank is identical to the one used by Zeus. This allows fraudsters who have written configurations for Zeus to easily port their configuration to Ramnit.
“The metamorphosis of Ramnit into financial malware is a sign of things to come now that the Zeus source code has been made openly available to anyone on the Internet,” said Amit Klein, CTO of Trusteer. “Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program -- old or new. The malware distribution channel for fraudsters has increased in scale significantly.”
Trusteer Pinpoint is capable of detecting and blocking Ramnit-related and zero-day fraud within a bank’s web application, while Trusteer Rapport is capable of detecting, blocking, and preventing Ramnit infections on customer computers. More information on Ramnit, its configurations, and the code it uses against various banks is available to Trusteer customers in the Trusteer Situation Room. Additional public information on Ramnit is available in this Trusteer blog post https://www.trusteer.com/blog/ramnit-evolution-%E2%80%93-worm-financial-malware.
About Trusteer
Trusteer is the world’s leading provider of Secure Web Access services. The company offers a range of services that detect, block and remove attacks launched directly against endpoints such as Man in the Browser, Man in the Middle and Phishing. Trusteer services are being used by leading financial organizations and enterprises in North America and Europe, and by tens of millions of their employees and customers to secure web access from mobile devices, tablets and computers to sensitive applications such as webmail, online payment, and online banking. HSBC, Santander, The Royal Bank of Scotland, SunTrust, Fifth Third, ING DIRECT, and BMO Financial Group are just a few of the companies using Trusteer’s technology. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our services, please visit www.trusteer.com.
Contacts
Trusteer
North America
Marc Gendron PR
Marc Gendron, 781-237-0341
marc@mgpr.net
or
Trusteer
United Kingdom
Eskenzi PR Ltd.
Neil Stinchcombe, +44 20 71 832 833
neil@eskenzipr.com
North America
Marc Gendron PR
Marc Gendron, 781-237-0341
marc@mgpr.net
or
Trusteer
United Kingdom
Eskenzi PR Ltd.
Neil Stinchcombe, +44 20 71 832 833
neil@eskenzipr.com
Recent Stories from Trusteer
- Tompkins Financial Selects Trusteer to Protect Internet Banking CustomersJuly 13, 2011BOSTON--(BUSINESS WIRE)--Tompkins Financial Corporation has selected Trusteer Rapport to provide retail/business online banking customers with an extra layer of security against fraud, and to meet ... More »
- Trusteer Online Fraud Intelligence and Risk Analysis Service Provides Real-Time Threat VisibilityJuly 13, 2011BOSTON--(BUSINESS WIRE)--Trusteer Situation Room gathers real-time attack information from tens of millions of endpoint devices and thousands of malicious servers to identify threats targeting bank... More »
- Trusteer Helps Financial Institutions Comply with New FFIEC Guidance for Internet Banking using One PlatformJune 30, 2011BOSTON--(BUSINESS WIRE)--Trusteer intelligence-based online fraud prevention architecture enables financial institutions to comply with the new online banking security guidance issued Tuesday by th... More »
